Bruce Schneier argues that vendors should be held liable for vulnerable software. Software liability is a bad idea. It will lead to the death of open source, because there is either nobody to sue or nobody willing to develop under the threat of liability. It will lead to Xboxes and appliances in place of PCs, since no software manufacturer in its right "mind" will want its software interacting with any other programs, with the possible exception of cases backed by a very extensive testing and certification process.
The cost will not only be higher prices for the products we buy; the real loss under software liability is the benefit we get from all the independent developers out there, and their opportunity to make it big with the next "killer application", because they will be drowned in costs. Say goodbye to all the innovation coming from individuals. Say hello to Microsoft.
The way to get safer software is to regulate reporting, in the same way the chemical industry uses material safety data sheets. The "Software Safety Data Sheet" would enumerate the control flow and data flow of an application and identify all of its touch points with external software. This will obviously be a large file, not meant for human consumption (though certainly human readable) but as input to the client-resident host intrusion prevention system that provides the second layer of defense for software. We are already doing this after the fact. There is no reason not to have the software manufacturers in on it.
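To make the "Software Safety Data Sheet" idea concrete, here is an added example that is not from the original post and not any real product's format: a hypothetical JSON sheet in which a vendor declares an application's external touch points (files, network destinations, child processes), and a small host-side checker in the role of the HIPS that compares observed events against the sheet and flags anything undeclared. The sheet contents, the event records and the field names are all constructed for this illustration; the example covers only the touch-point part of the sheet, not the full control-flow and data-flow enumeration the post describes.

```python
"""Illustrative checker for a hypothetical 'Software Safety Data Sheet' (SSDS).

The sheet format, the sample application and the observed events below are
all constructed for this example; none of it is a real vendor's data.
"""
import fnmatch
import json
from dataclasses import dataclass

# Constructed sheet: what the vendor declares its application will touch.
SSDS_JSON = """
{
  "product": "example-notes-app",
  "version": "1.2.0",
  "touch_points": {
    "files": [
      {"path": "/home/*/.notes/*", "modes": ["read", "write"]},
      {"path": "/etc/notes.conf", "modes": ["read"]}
    ],
    "network": [
      {"host": "sync.example.invalid", "port": 443, "proto": "tcp"}
    ],
    "processes": [
      {"exe": "/usr/bin/gpg"}
    ]
  }
}
"""


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def load_sheet(text: str) -> dict:
    """Parse the sheet and make every touch-point category present (possibly empty)."""
    sheet = json.loads(text)
    touch_points = sheet.setdefault("touch_points", {})
    for key in ("files", "network", "processes"):
        touch_points.setdefault(key, [])
    return sheet


def check_event(sheet: dict, event: dict) -> Verdict:
    """Decide whether one observed event is covered by the sheet.

    Note: fnmatch's '*' also matches '/', so a file pattern is a loose glob,
    which is acceptable for this illustration but would need tightening in
    a real policy engine.
    """
    tp = sheet["touch_points"]
    kind = event.get("kind")
    if kind == "file":
        for decl in tp["files"]:
            if fnmatch.fnmatchcase(event["path"], decl["path"]):
                if event["mode"] in decl["modes"]:
                    return Verdict(True, f"declared file touch point {decl['path']}")
                return Verdict(False, f"{event['mode']} on {event['path']} not declared "
                                      f"(declared modes: {decl['modes']})")
        return Verdict(False, f"file {event['path']} not in sheet")
    if kind == "network":
        for decl in tp["network"]:
            if (decl["host"], decl["port"], decl["proto"]) == \
                    (event["host"], event["port"], event["proto"]):
                return Verdict(True, f"declared network touch point {decl['host']}:{decl['port']}")
        return Verdict(False, f"connection to {event['host']}:{event['port']} not in sheet")
    if kind == "process":
        for decl in tp["processes"]:
            if decl["exe"] == event["exe"]:
                return Verdict(True, f"declared child process {decl['exe']}")
        return Verdict(False, f"child process {event['exe']} not in sheet")
    return Verdict(False, f"unknown event kind {kind!r}")


def audit(sheet: dict, events: list) -> list:
    """Return (event, verdict) pairs for every event the sheet does not cover."""
    flagged = []
    for event in events:
        verdict = check_event(sheet, event)
        if not verdict.allowed:
            flagged.append((event, verdict))
    return flagged


# Constructed sample of what a host monitor might observe at runtime.
OBSERVED_EVENTS = [
    {"kind": "file", "path": "/home/alice/.notes/todo.md", "mode": "write"},
    {"kind": "file", "path": "/etc/notes.conf", "mode": "write"},          # mode not declared
    {"kind": "network", "host": "sync.example.invalid", "port": 443, "proto": "tcp"},
    {"kind": "network", "host": "telemetry.example.invalid", "port": 8080, "proto": "tcp"},  # undeclared
    {"kind": "process", "exe": "/usr/bin/gpg"},
    {"kind": "process", "exe": "/bin/sh"},                                  # undeclared
]

if __name__ == "__main__":
    sheet = load_sheet(SSDS_JSON)
    for event, verdict in audit(sheet, OBSERVED_EVENTS):
        print(f"FLAG {event['kind']}: {verdict.reason}")
```

Running the block prints three flags: the undeclared write to `/etc/notes.conf`, the undeclared network destination and the undeclared child shell. The design point is that the sheet lets the checker reason about deviation from what the vendor said the program does, rather than about generic badness, which is exactly the "second layer of defense" role the post assigns to the host-resident HIPS.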